General

  • Target

    Darkv4.1.zip

  • Size

    44.1MB

  • Sample

    241103-msk6qavnan

  • MD5

    1853f1a674cb65b678c0ab81933b4829

  • SHA1

    a600e16e534e4e5a9e720aad5330db88b60dda1e

  • SHA256

    ea02854cef96b96af46f803076d647a6791ebbfdf6d78506abdc6aee9c61c40a

  • SHA512

    8acd99a7d5f1a089bea241d764bee7572e5c8148042d4e7deb8151e864f337ce167f1baf32ce99aa868ca798736f594189aa16f588564d3c2bed50b0190094df

  • SSDEEP

    786432:v3gG+b7FLIVsBgAJBjiQK+aee5Ui/JyxFoPZ+YEgLuVy3cj6YyUavF5jBt6PYmq9:LCL3tpc9/UFoP31uGo6cavjBaYWIE213

Malware Config

Targets

    • Target

      Dark.exe

    • Size

      11.4MB

    • MD5

      5ab14c71b58489ddd61594baac0afe38

    • SHA1

      0dd719539febb27d7547f0f887fc5cdc0ae94ab0

    • SHA256

      18977bb2a7c6524f958c45665825fe90d4f5dd6de45b44b2c329beb3358b01dd

    • SHA512

      fee9825c4d6fcb9305700f83b764dfa93d07b575b0b5f5019a5c1ac33b00597e14ec11970a739fe814d822b6768060ac0e68c20c5a6d571b39355e3ed8250c80

    • SSDEEP

      196608:fQ1plCLCUx5DILwTrBnuCx5ANcmGtUF9E1TZzGM//sLLccLZgIs0WAF1Wj/ElCjy:fYl58TrBuQANcE9E1Vz0LsVOwj/+

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file browsers.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15
